Privacy Policy
Effective date: April 7, 2026
1. What Data We Collect
We collect only what's necessary to operate the Platform:
- Wallet address — your Ethereum wallet address, used as your primary identifier. Stored in our database and used for NFT lookups and on-chain features.
- Email address — collected via Privy if you sign in with email. Used to associate your Privy identity with your account. Never shared publicly.
- Privy DID — a decentralized identifier issued by Privy that links your account across devices. Never exposed publicly.
- IP address — used transiently as the key for rate-limit counters (see Sections 2 and 4). Not stored in our database; Vercel's request logs are covered in Section 2.
- Push notification tokens — stored if you opt in to push notifications. Used solely to send you notifications you've enabled.
- Content you create — notes, follows, reactions, profile information (username, bio, avatar, social links). This is the core data of the Platform and is stored in our database.
- Calendar events — if you use the Calendar shelf. Stored privately; not shared publicly unless you choose to display them.
2. Third Parties Who See Your Data
Running the Platform requires us to share data with trusted infrastructure providers:
- Privy — handles authentication. Privy stores your email address, wallet address, and DID. Their Privacy Policy applies.
- Alchemy — used for NFT lookups and on-chain data. Your wallet address is sent to Alchemy when your NFT collection or tier is fetched. Their Privacy Policy applies.
- Neon — our PostgreSQL database provider. All Platform data is stored on Neon-hosted infrastructure. Neon's Privacy Policy applies.
- Upstash — our Redis provider, used for rate limiting. Holds per-IP request counters that expire automatically after a short TTL (see Section 4). Nothing else about you is sent to Upstash.
- Vercel — hosts the Platform. Vercel receives all HTTP requests and logs associated metadata (IP, headers, request paths). Their Privacy Policy applies.
We do not sell your data. We do not use advertising networks, and the only analytics we use is Vercel's built-in analytics, which is cookieless and does not track individuals across sites (see Section 6).
3. How We Use Your Data
We use collected data solely to:
- Authenticate you and maintain your session.
- Display your profile and content to other users.
- Verify NFT ownership to grant platform tier access.
- Send push notifications for events you've opted into (yums, follows, replies, etc.).
- Rate-limit requests to protect Platform stability.
- Display your ENS name or avatar if available on-chain.
We do not use your data for advertising, profiling, or sale to third parties.
4. Data Retention
- Account data — retained until you delete your account via Settings → Delete Account. Deletion permanently removes your profile, notes, follows, reactions, notifications, and push subscriptions.
- Session cookie — expires automatically after 7 days of inactivity. You can sign out at any time to destroy your session immediately.
- Rate limit counters — stored in Redis with a 1-hour TTL. Automatically deleted.
- Push subscriptions — retained until you delete your account or revoke notification permission in your browser settings.
5. Your Rights
Regardless of where you are located, you have the following rights:
- Right to deletion — delete your account and all associated data at any time via Settings → Delete Account.
- Right to access — request a copy of your personal data by contacting us (see Section 10). We will respond within 30 days.
- Right to portability — a data export feature is in development. Until then, contact us to request your data.
- Right to correction — update your profile information at any time via Settings.
If you are located in the EU and believe your GDPR rights have been violated, you may lodge a complaint with your local data protection authority.
6. Cookies
We use a single cookie:
- fridge-session — an encrypted, httpOnly session cookie set after you sign in. Contains your wallet address (encrypted). Expires after 7 days. Required for the Platform to function. Cannot be opted out of while signed in.
We do not use tracking cookies, advertising cookies, or any third-party cookies. Vercel Analytics is cookieless and does not track individuals across sites.
7. Security
We take the following measures to protect your data:
- Server-side token verification — every authenticated request carries a Privy access token (a JWT) whose signature and claims are verified on our servers before the request is acted on. We never trust identity data supplied by the client itself.
- Encrypted session cookies — session data is sealed with iron-session, which encrypts the cookie payload with AES-256 and adds an HMAC-SHA256 integrity check, so a tampered cookie is rejected rather than decrypted. The sealing secret is held in an environment variable and is never committed to code.
- HTTPS only — all traffic is encrypted in transit via TLS.
- Rate limiting — every API endpoint is rate-limited per client IP (see Section 2) to slow down abuse and enumeration attempts.
- Wallet addresses — not returned in public-facing search results.
No security system is perfect. You are responsible for the security of your wallet and seed phrase. We cannot recover lost wallet access.
8. Children
The Fridge is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we learn we have collected data from a minor, we will delete it promptly. If you believe a minor has created an account, please contact us.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. Material changes may be communicated via the Platform or by email if you have one associated with your account.
Continued use of the Platform after changes are posted constitutes acceptance of the updated Policy.
10. Contact
For privacy requests, data access, or questions about this Policy, contact us at:
- X (Twitter): @TheFridgeIo